An update for setroubleshoot and setroubleshoot-plugins is now available for Red Hat Enterprise Linux 7.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

The setroubleshoot packages provide tools to help diagnose SELinux problems. When Access Vector Cache (AVC) messages are returned, an alert can be generated that provides information about the problem and helps to track its resolution.

The setroubleshoot-plugins package provides a set of analysis plugins for use with setroubleshoot. Each plugin has the capacity to analyze SELinux AVC data and system data to provide user-friendly reports describing how to interpret SELinux AVC denials.

Security Fix(es):

* Shell command injection flaws were found in the way setroubleshoot executed external commands. A local attacker able to trigger certain SELinux denials could use these flaws to execute arbitrary code with privileges of the setroubleshoot user. (CVE-2016-4989)

* Shell command injection flaws were found in the way the setroubleshoot allow_execmod and allow_execstack plugins executed external commands. A local attacker able to trigger an execmod or execstack SELinux denial could use these flaws to execute arbitrary code with privileges of the setroubleshoot user. (CVE-2016-4444, CVE-2016-4446)

The CVE-2016-4444 and CVE-2016-4446 issues were discovered by Milos Malik (Red Hat) and the CVE-2016-4989 issue was discovered by Red Hat Product Security.
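The class of flaw described above, shown as an added example that is not setroubleshoot's code and is not taken from this advisory: a value read from a denial record is passed to an external command through a shell, next to two hardened forms. The record layout, the function names and the use of `echo` as the external command are assumptions made for illustration.

```python
import re
import shlex
import subprocess

# Constructed, simplified AVC-style record. The path field is chosen by whoever
# triggered the denial; the substitution in it is a harmless marker.
SAMPLE_AVC = ('type=AVC msg=audit(0.0:1): avc:  denied  { execmod } for pid=1 '
              'comm="demo" path="/tmp/lib$(echo INJECTED).so" tclass=file')


def extract_path(record):
    """Return the value of the path="..." field (hypothetical helper)."""
    m = re.search(r'path="([^"]*)"', record)
    if m is None:
        raise ValueError("no path field in record")
    return m.group(1)


def describe_unsafe(path):
    """Flawed pattern: the path is pasted into a shell command line,
    so the shell expands any metacharacters the path contains."""
    cmd = "echo file: %s" % path
    out = subprocess.run(cmd, shell=True, capture_output=True, text=True)
    return out.stdout.strip()


def describe_safe(path):
    """Hardened pattern: argv list and no shell; the path stays one argument."""
    out = subprocess.run(["echo", "file:", path],
                         capture_output=True, text=True, check=True)
    return out.stdout.strip()


def describe_quoted(path):
    """Fallback when a shell cannot be avoided: quote with shlex.quote."""
    cmd = "echo file: %s" % shlex.quote(path)
    out = subprocess.run(cmd, shell=True, capture_output=True, text=True,
                         check=True)
    return out.stdout.strip()


if __name__ == "__main__":
    p = extract_path(SAMPLE_AVC)
    print("unsafe:", describe_unsafe(p))   # marker was expanded by the shell
    print("safe:  ", describe_safe(p))     # path printed literally
    print("quoted:", describe_quoted(p))   # path printed literally
```

When reviewing similar tooling, the pattern to look for is any command string built with formatting or concatenation from log-derived fields and then handed to a shell.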